GetBusy CISO on How Compliance Has Become a Security Driver


GetBusy has a long history of operating several productivity software products across different geographies, despite the company being founded as recently as 2017.

The GetBusy group was born out of two firms, US-based SmartVault, and UK-based Virtual Cabinet, spinning off from their Australian owner, Reckon, to create their own entity.

Today, from its UK headquarters, GetBusy owns four different products and operates them worldwide.

Luke Kiely was hired as group CISO in October 2022; he is also CISO of SmartVault and Workiro, two of the four brands owned by GetBusy.

He explained to Infosecurity how cybersecurity regulations are helping him juggle all these missions.

Infosecurity Magazine: Many recent cyber-attacks were software supply chain attacks where adversaries exploited vulnerabilities in commodity software. What's your view on these attacks?

Luke Kiely: They make sense. It's an obvious course of action for adversaries to follow. Of course, it's easier to get into the supply chain through commodity software.

Managed service providers (MSPs) are a great example of that because they get access to tens of thousands of other companies' systems. Targeting these entities is an economy of scale for adversaries.

IM: How have these incidents changed the way you work?

LK: You must take it on a case-by-case basis. Take LastPass, for example. We were using LastPass when it was compromised. Our immediate reaction was that we needed to move away from using their service and start looking for another solution.

However, although changing providers was worth considering, I quickly decided to stick with LastPass because they've provided sufficient mitigation. We've also implemented mitigation techniques within our own systems to protect ourselves.

Moving from software to software doesn't change the fact that they are exposed to the same range of vulnerabilities, regardless of where you go. It really depends on the extent of each compromise and how reliant you are on one particular platform within your organization.

For us, for instance, it would take one of our critical pieces of software, such as Zendesk or Salesforce, to be compromised to start thinking of finding alternatives.

IM: To what extent has the software supply chain threat impacted how you deal with your products, like SmartVault or Workiro?

LK: I'm not going to shy away from these threats: we're all on the brink of such a cyber incident happening to us. Anybody who says they didn't have it on their radar is lying to themselves.

The challenge we currently face is that there probably isn't enough transparency across industries to support people disclosing their security posture. There is a general appetite for using general high statements, saying things like "security is important to us" while hiding away from the fact that security brings risk.


Also, there is not enough guidance on the expectations for businesses to comply on that front.

In any case, our vision for this year is to be a lot more transparent in how we operate. One of the things that we're making a conscious effort to do now is to broadcast the measures we take to enhance the security of our products.

Every reasonable security issue you can think of is being answered and made available to customers and suppliers, with evidence supporting our statements.

IM: Does this transparency effort include providing the dependencies your products rely on via a software bill of materials (SBOM), for instance?

LK: SBOMs are not there yet, but it's certainly something I've got on my roadmap.

Unfortunately, SBOMs can be either really expensive or complex and hard to manage.

However, they are precious tools that we should all start thinking of deploying soon. The White House's national cybersecurity strategy, published in 2023, specifically mentioned using SBOMs across supply chains, albeit detailing how complex they are to assemble. It shows that even at the government level, they understand the complexity and importance of such tools.

IM: GetBusy operates in North America and Europe. What are the key considerations to understand when operating across different geographies?

LK: My first and foremost approach is to look at compliance. In the US, the FTC Safeguards Rule drives a lot of what we're doing to support our customer base, which are companies themselves.

For example, we must implement two-factor authentication (2FA) into our product. Otherwise, our customers would infringe the FTC Safeguards Rule.

In Europe, we're now looking at complying with NIS 2, coming at the end of 2024, and DORA, coming in January 2025.


Those compliance requirements are built into our vulnerability management programs, meaning that our security controls are ultimately streamlined to comply with all regulations we're subject to.

Everyone used to do compliance out of necessity; now, for us, it has become the driver of our security journey.

IM: Besides your role as CISO of the GetBusy group, you are also CISO of two of the group's subsidiaries, SmartVault in the US and Workiro in the UK. What are the differences between being a CISO and being a Group CISO?

LK: Different hats, different perspectives, different requirements. In practice, they are two very different jobs.

Even though I sit across the group, I'm running two different security programs for both SmartVault and Workiro. Because I only have a team of three people - and because I want to - I'm still very hands-on. Still, I have to consider different jurisdictions and regulation landscapes, as we have discussed, as well as different work cultures in the US and the UK.

For instance, the CISO role in the UK is mainly driven by compliance requirements. It is much more business-driven in the US, needing to stay close to the products and embrace the board's strategic vision.

Globally, we need to stop using the term ‘CISO’ as the accountable party. First, a lot of organizations don't have a CISO. Then, every CISO has a different role. And finally, although we are responsible for security controls within organizations, ultimately, our CEOs and CFOs are the ones who are accountable.

IM: As a Group CISO, how are you positioned between the board and the operational teams?

LK: At the group level, I'm sitting with the C-suite.

In terms of operational controls, although I have no control over development functions, I have a say on some of the workflows and directions we want to take based on compliance and security requirements.

I have created a 'matrix' DevSecOps team, meaning the members come from different areas across the organization. They have different roles and come from different geographies and business units.

IM: GetBusy is a group made of several brands and products, some of which have been acquired. What are the security priorities during an M&A deal?

LK: During an M&A deal, you must keep in mind that you inherit the residual risk of the acquired company.

That means that every little thing has to be reviewed and risk-assessed according to what is culturally the right fit for the new entity combining the previous two companies. These things include security controls, but also technology stacks, work cultures, etc.

Instinctively, it could mean that the acquired company has to align with the security controls and culture of the acquirer, but it's not always the case. For instance, when GetBusy acquired SmartVault, the latter generated significantly more income and was based in the US, with a very different work culture than at GetBusy, based in the UK.

Therefore, although the acquirer traditionally sets the tone, there needs to be a balance of what fits best for the organization.

IM: What are your biggest concerns within cybersecurity today?

LK: Upcoming compliance requirements, supply chain risk - everything from the cleaner that comes into your organization to your managed Amazon Web Services (AWS) - and general risk management are my most significant concerns right now.

IM: What are the biggest successes that you think the cybersecurity industry is experiencing today?

LK: Organizations have made significant progress in their compliance levels. And even more importantly, companies are starting to see the value of it.

Also, I feel like there is a general move towards better transparency in businesses, including when it comes to their security posture.

IM: If you could give one piece of advice to cybersecurity professionals, what would it be?

LK: I'll give you a few. Be more engaged with the workforce, more transparent with your partners, suppliers and customers, and more flexible and adaptable.

Last but not least, don't get into the habit of hiding risk.
